CA/Browser Forum

Ballot 40 – Terms of Use (Passed Unanimously)

Motion

Ben Wilson made the following motion, and Doug Pelton and Brian Trzupek endorsed it:

The treatment of parents, affiliates, and subsidiaries in the EV Guidelines does not accommodate the realities of most large corporate infrastructures and should be redefined. Also, according to some interpretations of contract law principles, an entity cannot enter into an artificial and unenforceable reciprocal contract with itself (i.e., no arms-length exchange of promises as consideration to make the agreement binding, etc.), so it is proposed that a CA issuing Certificates internally have an Applicant Representative accept “Terms of Use” that are equivalent to a Subscriber Agreement.

Motion begins

A. EFFECTIVE IMMEDIATELY, in 3. Definitions, DELETE: Affiliate of a CA: A corporation, partnership, joint venture or other entity controlling, controlled by or under common control with a CA. As used in this definition, “control” (and its correlative meanings, “controlled by” and “under common control with”) means possession, directly or indirectly, of more than fifty percent of the voting shares of such entity or the power to direct the management and affairs of such entity.

Applicant Representative: An individual person employed by the Applicant: (i) who signs and submits, or approves an EV Certificate Request on behalf of the Applicant, and/or (ii) who signs and submits a Subscriber Agreement on behalf of the Applicant.

Parent Company: A company that owns a majority of a Subsidiary Company and this can be verified by reference to a QIIS or from financial statements supplied by a registered Chartered Professional Accountant (CPA) or equivalent outside of the USA.

Subsidiary Company: A subsidiary company is defined as a company that is majority owned by the Applicant as verified by reference to a QIIS, or from financial statements supplied by a registered Chartered Professional Accountant (CPA) or equivalent outside of the USA.

And, in 3. Definitions, INSERT: Affiliate: A corporation, partnership, joint venture or other entity controlling, controlled by or under common control with another entity as determined by reference to a QIIS, QGIS, QTIS, Verified Legal Opinion, or Verified Accountant Letter.

Applicant Representative: A natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant: (i) who signs and submits, or approves an EV Certificate Request on behalf of the Applicant, and/or (ii) who signs and submits a Subscriber Agreement on behalf of the Applicant, and/or (iii) who acknowledges and agrees to the EV Certificate Terms of Use on behalf of the Applicant when the Applicant is an Affiliate of the CA.

Control: “Control” (and its correlative meanings, “controlled by” and “under common control with”) means possession, directly or indirectly, of the power to: (1) direct the management, personnel, finances, or plans of such entity; (2) control the election of a majority of the directors; or (3) vote that portion of voting shares required for “control” under the law of the entity’s Jurisdiction of Incorporation or Registration but in no case less than 10%.

Parent Company: A company that Controls a Subsidiary Company as determined by reference to a QIIS, QGIS, QTIS, Verified Legal Opinion, or Verified Accountant Letter.

Subsidiary Company: A company that is controlled by a Parent Company as determined by reference to a QIIS, QGIS, QTIS, Verified Legal Opinion, or Verified Accountant Letter.

Terms of Use: Those provisions regarding the safekeeping and acceptable uses of the EV Certificate in accordance with the Guidelines that an Applicant Representative acknowledges and accepts on behalf of an Applicant when such Applicant is an Affiliate of the CA.

B. EFFECTIVE IMMEDIATELY, in 6.2.1(2) Certificate Warranties, DELETE: (F) Subscriber Agreement: The Subject named in the EV Certificate has entered into a legally valid and enforceable Subscriber Agreement with the CA that satisfies the requirements of these Guidelines;

And, in 6.2.1(2) Certificate Warranties, INSERT: (F) Subscriber Agreement: The Subject named in the EV Certificate has entered into a legally valid and enforceable Subscriber Agreement with the CA that satisfies the requirements of these Guidelines or the Applicant Representative has acknowledged and accepted the Terms of Use;

C. EFFECTIVE IMMEDIATELY, in 6.2.2, DELETE: 6.2.2 By the Subscriber

The CA will require, as part of the Subscriber Agreement, that the Subscriber make the commitments and warranties set forth in Section 9.3, for the benefit of the CA and the EV Certificate Beneficiaries.

And, in 6.2.2, INSERT: 6.2.2 By the Subscriber

The CA will require that the Subscriber (by the Contract Signer as part of the Subscriber Agreement or the Applicant Representative as part of the Terms of Use) make the commitments and warranties set forth in Section 9.3, for the benefit of the CA and the EV Certificate Beneficiaries.

D. EFFECTIVE IMMEDIATELY, in subsection (2) of 9.1.1 Documentation Requirements, REPLACE: “Subscriber Agreement” with “Subscriber Agreement and Terms of Use”

E. EFFECTIVE IMMEDIATELY, in 9.1.2 Role Requirements, INSERT: (4) Applicant Representative: Terms of Use applicable to the requested EV Certificate MUST be acknowledged and agreed to by an authorized Applicant Representative. An Applicant Representative is a natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant, and who has authority on behalf of the Applicant to acknowledge and agree to the Terms of Use.

F. EFFECTIVE IMMEDIATELY, in 9.3 Subscriber Agreement Requirements, DELETE: 9.3 Subscriber Agreement Requirements

9.3.1 General

Prior to the issuance of the EV Certificate, the CA MUST obtain the Applicant’s agreement to a legally enforceable Subscriber Agreement with the CA for the express benefit of Relying Parties and Application Software Vendors. The Subscriber Agreement MUST be signed by an authorized Contract Signer acting on behalf of the Applicant in accordance with Section 10.8 of these Guidelines, and MUST apply to the EV Certificate to be issued pursuant to the EV Certificate Request. A separate Subscriber Agreement MAY be used for each EV Certificate Request, or a single Subscriber Agreement MAY be used to cover multiple future EV Certificate Requests and resulting EV Certificates, so long as each EV Certificate that the CA issues to the Applicant is clearly covered by a Subscriber Agreement signed by an authorized Contract Signer acting on behalf of the Applicant.

And, in 9.3, INSERT: 9.3 Requirements for Subscriber Agreement and Terms of Use

9.3.1 General

Prior to the issuance of the EV Certificate, the CA MUST obtain, for the express benefit of Relying Parties and Application Software Vendors, either: (A) the Applicant’s agreement to a legally enforceable Subscriber Agreement with the CA, or (B) the Applicant Representative’s acknowledgement and agreement to the Terms of Use. The Subscriber Agreement MUST be signed by an authorized Contract Signer acting on behalf of the Applicant or the Terms of Use MUST be acknowledged and agreed to by an authorized Applicant Representative acting on behalf of the Applicant, each in accordance with Section 10.8 of these Guidelines, and MUST apply to the EV Certificate to be issued pursuant to the EV Certificate Request. A separate Subscriber Agreement or Terms of Use document MAY be used for each EV Certificate Request, or a single Subscriber Agreement or Terms of Use document MAY be used to cover multiple future EV Certificate Requests and resulting EV Certificates, so long as each EV Certificate that the CA issues to the Applicant is clearly covered by that Subscriber Agreement or Terms of Use.

G. EFFECTIVE IMMEDIATELY, RENAME “9.3.2 Agreement Requirements” to “9.3.2 Subscriber Agreement Requirements”

H. EFFECTIVE IMMEDIATELY, in 9.3 Subscriber Agreement Requirements, INSERT: 9.3.3 Terms of Use Requirements

The Terms of Use MUST, at a minimum, contain provisions imposing on the Applicant the following obligations:

– Accuracy of Information: An obligation to provide accurate and complete information at all times to the CA, both in the EV Certificate Request and as otherwise requested by the CA in connection with the issuance of the EV Certificate(s) to be supplied by the CA;

– Protection of Private Key: An obligation by the Applicant to take all reasonable measures to maintain sole control of, keep confidential, and properly protect at all times the Private Key that corresponds to the Public Key to be included in the requested EV Certificate(s) (and any associated access information or device, e.g. password or token);

– Acceptance of EV Certificate: An obligation that Applicant will not install and use the EV Certificate(s) until it has reviewed and verified the accuracy of the data in each EV Certificate;

– Use of EV Certificate: An obligation to install the EV Certificate only on the server accessible at a Domain Name listed on the EV Certificate, and to use the EV Certificate solely in compliance with all applicable laws;

– Reporting and Revocation Upon Compromise: An obligation to promptly cease using an EV Certificate and its associated Private Key, and promptly request the CA to revoke the EV Certificate, in the event that: (i) any information in the EV Certificate is or becomes incorrect or inaccurate, or (ii) there is any actual or suspected misuse or compromise of the Subscriber’s Private Key associated with the Public Key listed in the EV Certificate;

– Termination of Use of EV Certificate: An obligation to promptly cease all use of the Private Key corresponding to the Public Key listed in an EV Certificate upon expiration or revocation of that EV Certificate.

I. EFFECTIVE IMMEDIATELY, in subsection (3)(B) of 10.1.1 Verification Requirements – Overview, DELETE: (B) Verify that a Contract Signer signed the Subscriber Agreement, and

And, in 10.1.1 Verification Requirements – Overview, INSERT: (B) Verify that a Contract Signer signed the Subscriber Agreement or that a duly authorized Applicant Representative acknowledged and agreed to the Terms of Use; and

J. EFFECTIVE IMMEDIATELY, in subsection (4) of 11.2.2 Revocation Events, REPLACE: “Subscriber Agreement” with “Subscriber Agreement or Terms of Use”

K. EFFECTIVE IMMEDIATELY, in 13.3.2 Use of Pre-Existing Information or Documentation, DELETE: (1) Each EV Certificate issued by the CA MUST be supported by a valid current EV Certificate Request and a Subscriber Agreement signed by the appropriate Applicant Representative on behalf of the Applicant.

And in 13.3.2 Use of Pre-Existing Information or Documentation, INSERT: (1) Each EV Certificate issued by the CA MUST be supported by a valid current EV Certificate Request and a Subscriber Agreement signed by the appropriate Applicant Representative on behalf of the Applicant or Terms of Use acknowledged by the appropriate Applicant Representative.

L. EFFECTIVE IMMEDIATELY, in Appendix H – Code Signing: Requirements for Certification Authorities (Normative), REPLACE: “Subscriber Agreement” with “Subscriber Agreement or Terms of Use”

Motion ends

The ballot review period comes into effect at 2100 UTC on 26 Mar ’10 and will close at 2100 UTC on 6 Apr ’10. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2100 UTC on 13 Apr ’10.

Votes must be cast by “reply all” to this email.

A vote in favour of the motion must indicate a clear ‘yes’ in the response. A vote against must indicate a clear ‘no’ in the response. A vote to abstain must indicate a clear ‘abstain’ in the response. Unclear responses will not be counted.

The latest vote received from any representative of a voting member before the close of the voting period will be counted.
